On 09.06.2010 02:18, Bil Corry wrote:
> Michal Zalewski's excellent "Browser Security Handbook" points out that different browsers handle multiple headers differently when only one header is supposed to be present (scroll down to "First HTTP header of the same name takes precedence?"):
>
> http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Transfer_Protocol
> ...
Interesting.
That text mentions the test
"Content-Length header value overrides actual content length?"
I have trouble understanding what this means... Unless the connection is
closed, or chunked encoding is in place, or the message by definition
has no body (HEAD response), there *is* no other signal than
Content-Length to find out the actual content length.
Michal, could you clarify what this test is about?
Best regards, Julian
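
An added illustration, not part of the original message or of the Browser Security Handbook: a sketch of how a response reader picks the body delimiter in the cases listed above, following the HTTP/1.1 message-length rules (RFC 7230 section 3.3.3), and how it can reject differing Content-Length values instead of silently taking the first or the last. The function name `response_framing` and the sample headers are assumptions made for this example; CONNECT tunnels are left out.

```python
# Added example (hypothetical helper, constructed inputs).
def response_framing(method, status, headers):
    """headers: list of (name, value) pairs in wire order.
    Returns (mode, length); mode is 'none', 'chunked', 'content-length' or 'close'."""
    def values(name):
        return [v for n, v in headers if n.lower() == name]

    # 1. Responses that by definition carry no body (HEAD, 1xx, 204, 304).
    if method == "HEAD" or 100 <= status < 200 or status in (204, 304):
        return ("none", 0)

    # 2. Transfer-Encoding takes priority over any Content-Length.
    codings = [c.strip().lower()
               for v in values("transfer-encoding")
               for c in v.split(",") if c.strip()]
    if codings:
        # If chunked is not the final coding, the body runs until close.
        return ("chunked", None) if codings[-1] == "chunked" else ("close", None)

    # 3. Content-Length: identical repeats are tolerated, differing values
    #    are a framing error rather than a first-wins/last-wins choice.
    lengths = set()
    for v in values("content-length"):
        for part in v.split(","):
            part = part.strip()
            if not (part.isascii() and part.isdigit()):
                raise ValueError("invalid Content-Length: %r" % part)
            lengths.add(int(part))
    if len(lengths) > 1:
        raise ValueError("conflicting Content-Length values: %s" % sorted(lengths))
    if lengths:
        return ("content-length", lengths.pop())

    # 4. No other signal: the body ends when the connection closes.
    return ("close", None)


if __name__ == "__main__":
    # Constructed sample: two Content-Length headers that disagree.
    sample = [("Content-Length", "5"), ("Content-Length", "50")]
    try:
        print(response_framing("GET", 200, sample))
    except ValueError as exc:
        print("rejected:", exc)
```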